puppet: IP address impersonation
| Package(s): | puppet | CVE #(s): | CVE-2012-3408 | ||||
| Created: | July 30, 2012 | Updated: | August 1, 2012 | ||||
| Description: | From the Red Hat bugzilla:
From puppet labs: Puppet agents with certnames of IP addresses can be impersonated This affects Puppet 2.6.16 and 2.7.17 If an authenticated host with a certname of an IP address changes IP addresses, and a second host assumes the first host's former IP address, the second host will be treated by the puppet master as the first one, giving the second host access to the first host's catalog. Note: This will not be fixed in Puppet versions prior to the forthcoming 3.x. Instead, with this announcement IP-based authentication in Puppet < 3.x is deprecated. Resolved in Puppet 2.6.17, 2.7.18 | ||||||
| Alerts: |
| ||||||